security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,959 Commits 1 Branch 57 Tags
7b64ab552f94de507753860b6ff0268d4a656321
Commit Graph

78 Commits

Author SHA1 Message Date
Florian Roth d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted 
https://github.com/Neo23x0/sigma/issues/1028
 2020-09-30 08:53:52 +02:00
Nate Guagenti f21b3c50c6 control whether to use an analyzed field or different type if a query/value contains a wildcard. 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 13:13:18 -04:00
Nate Guagenti a7ffb96b6b elasticsearch regex escape of '.' for case insensitivity backend options 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 13:10:25 -04:00
Nate Guagenti 76910eaee4 fix sub field name usage if there are 3 or more fields.. 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 12:56:57 -04:00
Nate Guagenti 0d713e4544 control whether to use an analyzed field or different type if a query/value contains a wildcard. 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 12:56:33 -04:00
Thomas Patzke 01125ffd3b Fixed: Elastalert backend handling of conditional field mappings 2020-08-11 23:29:18 +02:00
David Straßegger 875360f373 fixed wrong function call for elastalert aggregation. fixes #940 2020-07-20 14:32:30 +02:00
Thomas G 8c61dc9248 Add more Options for XPackWatcherBackend (Elasticsearch) 
Add action_throttle_period, mail_from adn mail_profile to the XPackWatcherBackend (Elasticsearch)
 2020-06-09 20:57:26 +02:00
Thomas Patzke fb9855bd3b Added description to es-rule backend 2020-06-06 01:02:44 +02:00
Thomas Patzke daf7ab5ff7 Cleanup: removal of corelight_* backends 2020-05-24 22:41:38 +02:00
Thomas Patzke d45f8e19fe Fixes 2020-05-24 21:46:55 +02:00
Thomas Patzke 24b08bbf30 Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-05-24 17:06:32 +02:00
vh fb9c5841f4 Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00
Thomas Patzke 7224af54b2 Merge pull request #664 from j91321/es-rule-options 
es-rule backend options for index-patterns and time interval
 2020-04-08 22:39:45 +02:00
j91321 3470011ac3 Revert time interval, use index values provided by sigmaparser 2020-04-05 20:30:57 +02:00
Thomas Patzke 004eaf0615 Revert "do not escape u" 
This reverts commit aa112cbd44.

This was a fix for a previous bug.
 2020-03-24 23:36:12 +01:00
neu5ron aa112cbd44 do not escape u 2020-03-18 08:51:38 -04:00
neu5ron 17318b48bf - fix agg_option keyword 
- remove (now) unnecessary other hardcoded `.keyword` locations
 2020-03-18 08:50:37 -04:00
j91321 f0c83ae3b4 Added es-rule backend options 2020-03-15 13:03:20 +01:00
neu5ron 55bf39a2ac keyword, analyzed field, case insensitivity 2020-03-11 11:38:56 -04:00
Thomas Patzke d9b48ea747 Fixes in es-rule backend 2020-02-24 23:20:19 +01:00
vh 5dc30bd388 Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
Anastasios Zouzias 3c7f522017 add .keyword on aggs; add extra unit test 2019-11-14 14:34:50 +01:00
Anastasios Zouzias e7ed0fa9ea added unit test 2019-11-12 14:06:10 +01:00
Anastasios Zouzias 324005a126 [feature] extend es-dsl to support nested aggregations 2019-11-12 11:46:43 +01:00
Thomas Patzke 465e41bfbb Added regular expression support in es-dsl backend 2019-11-08 22:31:02 +01:00
Thomas Patzke 8af2b70594 Restrict search not bound to fields to keyword fields 2019-11-02 22:55:04 +01:00
Thomas Patzke 2eeccf48e0 Removed line breaks in Elastalert YAML output 
Fixes #453
 2019-10-29 22:45:37 +01:00
Thomas Patzke 849a5a520d Conditional field mapping resolve_fieldname now functional 
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
 2019-10-09 23:57:41 +02:00
Thomas Patzke d4f89ebc1c Aggregation on keyword field in es-dsl backend 
* Fixes #452
* Further fixed reference to count in restriction of results
 2019-09-29 23:18:17 +02:00
Thomas Patzke 19f431b6d2 Changed xpack-watcher dateField default to previous value 2019-09-12 00:19:58 +02:00
herrBez 8f612f743c Use config dateField in xpack watcher to determine 
datefield name as in elasticsearch dsl backend
 2019-09-11 09:38:03 +02:00
Thomas Patzke 30b6db8299 Fixed ES backend keyword field mapping wildcard match pattern 2019-09-05 12:55:10 +02:00
Thomas Patzke 3b1cbe529e Elasticsearch keyword field name blacklisting with wildcards 2019-09-05 12:38:32 +02:00
Michiel Meersmans 0708fdd28e Correctly escape slashes within es-dsl wildcard queries 2019-08-07 12:56:19 +02:00
Thomas Patzke 805c739611 Merge branch 'devel-modifiers' 2019-07-31 23:44:10 +02:00
Thomas Patzke 1bb29dca26 Implemented type modifiers and regular expressions 2019-07-15 22:52:10 +02:00
christophetd 576912eb7a Support OR queries for Elasticsearch 6 and above 2019-07-08 17:12:53 +02:00
Thomas Patzke 0c7151c901 Watcher backend default options, refactoring and testing 2019-06-28 23:22:16 +02:00
Adrian Constantin Stanila feac0be8a4 Added 2 more actions on Elasticsearch X-pack Watcher: index and webhook 
Added timestamp filter query.
 2019-06-27 08:54:59 +03:00
Thomas Patzke 673973e523 Merge pull request #357 from agix/es_dsl_bug 
fix missing condition when unique plus timeframe
 2019-05-30 22:42:09 +02:00
Thomas Patzke 8023011bb1 Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend 2019-05-30 22:33:57 +02:00
Florian GAULTIER 89c1d7b63d Wrong fix, self.queries should be emptied after copied to rule_object 2019-05-29 16:10:14 +02:00
Florian GAULTIER 748ac2e206 Dont combine multiple queries 2019-05-29 16:05:53 +02:00
Thomas Patzke 04d91573f3 Merge pull request #355 from agix/allow_empty_keyword 
Allow empty keyword_field
 2019-05-28 21:45:55 +02:00
Florian GAULTIER d866e75750 Be sure there is a key in the single condition 2019-05-27 17:27:16 +02:00
Florian GAULTIER e8a7c5f7b9 fix missing condition when unique plus timeframe 2019-05-27 17:22:28 +02:00
Florian GAULTIER 6bf010fb4b introduce elastalert-dsl 
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
 2019-05-27 17:18:19 +02:00
Florian GAULTIER 4168c0ec64 Allow empty keyword_field 2019-05-27 15:08:33 +02:00
ipninichuck 75ec169d5c added metadata field to the watcher alert 
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
 2019-05-22 04:30:47 -07:00